Post AVhzBdD8vmH5Deg8VE by enkiusz@is-a.cat
 (DIR) Post #AVgtlZb13SenY8dkjQ by sjvn@mastodon.social
       2023-05-12T21:21:26Z
       
       0 likes, 1 repeats
       
       EU's Cyber Resilience Act contains a poison pill for open source developers https://www.theregister.com/2023/05/12/eu_cyber_resilience_act/ by @sjvn The EU still has time to fix this security law. But, if it doesn’t, it will prove a disaster for both #opensource and all technology-based businesses.
       
 (DIR) Post #AVgtlaJKOi6PlZN8ng by kravietz@agora.echelon.pl
       2023-05-15T21:00:15.778248Z
       
       0 likes, 1 repeats
       
       @sjvn The Register should actually read the draft of #CyberResilienceAct, which clearly makes that distinction in item 10 of the preamble:
       
       "In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software."[^1]
       
       The fact that you see companies such as Microsoft (through GitHub) speaking against CRA is quite telling: because if FOSS volunteers aren’t legally responsible for software #security under CRA, then who will be? Well, of course the Microsofts, Amazons and Red Hats of the world, who take free software and sell products based on it as well as support contracts for #FOSS packages. This is precisely why they started this “grassroots” disinformation campaign, just like Google did with “ACTA2”, having even the Python Software Foundation confused enough to repeat the nonsense:
       
       "The existing language makes no differentiation between independent authors who have never been paid for the supply of software and corporate tech behemoths selling products in exchange for payments from end-users."[^2]
       
       [^1]: https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act
       [^2]: https://pyfound.blogspot.com/2023/04/the-eus-proposed-cra-law-may-have.html
       
 (DIR) Post #AVgulh75CpVKomGEro by PublicLewdness@freespeechextremist.com
       2023-05-15T21:11:53.322817Z
       
       0 likes, 0 repeats
       
       @sjvn I never understand how the EU gets such praise. They're as dirty as any other govt entity.
       
 (DIR) Post #AVgvGHVmRTpWOQOjaq by charliebrownau@poa.st
       2023-05-15T21:17:24.784846Z
       
       0 likes, 0 repeats
       
       @PublicLewdness @sjvn Corrupt artificially lifts up others that are corrupt and part of the ((( system )))
       
 (DIR) Post #AVgyqVVUBYF05OE304 by kravietz@agora.echelon.pl
       2023-05-15T21:57:14.361901Z
       
       0 likes, 2 repeats
       
       @sjvn After reading the three The Register articles[^1][^2][^3] on the #CyberResilienceAct I have the impression that the British press is again doing exactly what it did on #Brexit: taking EU ideas their sponsors don’t like and intentionally distorting them to create an utterly absurd picture of “Brussels idiots”, while perfectly realising they’re lying. Just read this:
       
       "But the EU commissioners don’t have a clue about how open source software works. Or, frankly, what it is. They think that open source is the same as proprietary software with a single company behind it that’s responsible for the work and then monetizes it. Nope."[^1]
       
       Note this is not written by some Daily Mail intern who doesn’t distinguish “directive” from “regulation”; this is written by an IT journalist who has clearly read the CRA draft. He perfectly understands what he’s writing about, he knows how the software market works. And then he writes this:
       
       "The CRA’s underlying assumption is that you can just add security to software, like adding a new color option to your car’s paint job. We wish! Securing software is a long, painful process. Many open source developers have neither the revenue nor resources to secure their programs to a government standard. The notional open source developer in Nebraska, thanklessly maintaining a vital small program, may not even know where Brussels is in Europe (it’s in Belgium). They can’t afford to secure their software to meet EU specifications."[^1]
       
       I have spent quite a large part of my professional life in software #security and I do #FOSS, so let me correct this misleading paragraph:
       
       The “notional open source developer in Nebraska” may not have resources for user support and security, but he doesn’t have to, because CRA clearly excludes him from the regulation (preamble, item 10).
       
       Because large companies still want to use the Nebraska library, and because large companies like to have “software support contracts”, they do pay for the latter to “software support companies” whose names we all know. The majority of the “software support company” job is to repackage the original FOSS library and cash the “support contract” payment.
       
       This is exactly how we ended up with the OpenSSL library being placed literally everywhere for decades until someone decided to have a look and found tons of vulnerabilities. Could these vulnerabilities have been found earlier? Of course: the software (SAST, DAST, IAST etc.) to do it is widely available. There’s just one problem: it’s bloody expensive. Of course, the Nebraska dev won’t spend the 10^5 USD annual cost of a decent SAST scanner just for peace of mind. Otherwise, if someone sends a merge request with a fix, he or she will likely happily merge it. But hey, maybe there’s someone in the food chain who is already casually cashing a lot of money for repackaging the Nebraska free software that could possibly spend a fraction of it on that kind of maintenance? 🤔
       
       Make up your own mind about who might be the most impacted by CRA here…
       
       [^1]: https://www.theregister.com/2023/05/12/eu_cyber_resilience_act/
       [^2]: https://www.theregister.com/2023/01/30/opinion_eu_foss_security/
       [^3]: https://www.theregister.com/2022/09/16/eu_cyber_resilience_act/
       
 (DIR) Post #AVhmyiGjcDkzgwQrDs by sjvn@mastodon.social
       2023-05-15T22:14:34Z
       
       0 likes, 0 repeats
       
       @kravietz Since I live in the States, I don't have a dog in the Brexit/EU fight, I will say that I think leaving the EU was about as stupid a thing as the UK could have done. But, I also know a thing or two about open source and the law. And, I and the many open-source leaders I cited, think that the CRA, taken as a whole, is bad for open-source development.
       
 (DIR) Post #AVhmymHEiIXE7ehJYm by kravietz@agora.echelon.pl
       2023-05-16T07:18:55.781873Z
       
       0 likes, 0 repeats
       
       @sjvn But why? The primary argument cited by The Register is clearly false, easily debunked by simply reading the CRA draft.
       
 (DIR) Post #AVhzBdD8vmH5Deg8VE by enkiusz@is-a.cat
       2023-05-16T09:35:28Z
       
       1 likes, 0 repeats
       
       @kravietz @sjvn the ones who will end up paying will literally be Red Hat and Canonical
       
 (DIR) Post #AVijmQGGmHY2z1jvu4 by sjvn@mastodon.social
       2023-05-16T15:34:55Z
       
       0 likes, 0 repeats
       
       @kravietz I quoted many open-source professionals who've read the same draft and have come to a completely different conclusion.
       
 (DIR) Post #AVijmTe8C1PxTtvX0q by samueljohnson@mstdn.social
       2023-05-16T16:57:26Z
       
       1 likes, 0 repeats
       
       @sjvn @kravietz No need for perfection on the first iteration (GDPR is far from perfect). EU can and will fix issues--eventually or sooner. It isn't quite as susceptible to the influence of money as some legislatures and does have real collective power when it chooses to act.
       
 (DIR) Post #AVijsuzXR8cW1q0lH6 by kravietz@agora.echelon.pl
       2023-05-16T18:19:05.036488Z
       
       0 likes, 0 repeats
       
       @sjvn That’s my very point, it doesn’t seem that they have actually read it. Instead, they’re just beating a strawman.